Maintaining Comprehensive Documentation

00:00

Hello again. Your cyber, a pencil pushers and regulatory writers of riffraff. This is implementing a HIPPA compliance program for leadership less than 2.8. And this is our last lesson in module to where this is where we're gonna maintain all our daughter dies in your twisted teas and ensuring your HIPPA compliance program is maintaining a comprehensive documentation program.

00:19

So get your word. Perfect word processors out on your commodore 60 fours.

00:23

Well, wait, hang on a second. Maybe we should go about this another way.

00:28

Documentation is the one component of any security program that you can absolutely guarantee your people will hate. As Will Ferrell, the actor has been quoted to say, Before you marry a person, you should first make the music computer or slow Internet to see who they really are. If you want to test your people, have them write some of your documentation.

00:44

I'm always amazed at the liberty some people use with business concepts such a spelling,

00:49

And how many acronyms can one person put in a sentence? But one of the most critical parts of your compliance is that you and your team are recording your efforts. Your progress your strengths and your weaknesses. This is why documentation is the biggest and most important aspect of compliance. No organization is going to get 100% on their hip audit.

01:06

There is always a fail somewhere and lots of areas that require improvement.

01:08

But if you have your progress documented and where you are in your re mediation and when you will complete your work efforts while you're still going to get a pass from the auditor, it's not having the answers and not having the proof of those answers via documentation to back it up. Well, that's your program status against the control, and you need to be able to prove it, and you need to be able to show it.

01:27

This is when you and your team

01:30

mostly use a leader. Start understanding what it's like to take a bath in boiling water when you don't have a documented. And the most important aspect of documentation is that it's your key to the city. The ultimate reference that your organization actually cares about protecting patient data. Documentation, really is that important.

01:47

So there are a ton of reasons why documentation help you with compliance, but it just name a few. All of the hard work and effort your team performs this year to make your program better makes next year that much easier. And following the documentation trail is the only way to make sure you're not duplicating your efforts. Answering questions with documentation for your new employees, emphasizing the key concepts of privacy and security

02:07

during your recurring

02:07

employee training exercises and your policies, procedures and best practices the organization demands its partners and business associates follow to comply with how you want your P h i n e p h I secure.

02:20

And the best way to answer questions is to point out where the individual can find the answers or when they don't know how you want them to perform a task. Well, it's gonna all be in your documentation.

02:30

And one of the biggest reasons documentation helps you is that it's the most important Get out of jail free card you have when the auditors in your conference room and looking at compliance and your shortcomings. But I want to pause you and remind you that when it comes to audits and enforcement of hippos regulations, things are always going to start with an email notification and a phone call that a complaint has been filed

02:49

or a violation has popped up its ugly head.

02:51

And the first task will be to look at your documentation. And most of the time your documentation will be enough to satisfy the OCR s investigation and closed the case. Or when a shortcoming is identified in your program and it happens because you know what we're trying to improve. But we're far from perfect. Well, women that pops up its head and we have some shortcomings and they're called out,

03:09

long as we can show that we're not just aware of the issue but working on the remediation of the issue.

03:15

With this date, as the expected resolution date noted, check. And then we can move on to the next item on the auditors list. And when I or any other auditor walks into your office using me as an example, I've never been to your office. I've never seen your network. What better way to familiarize a stranger to your network and your privacy program? Explain your current posture and state of controls

03:35

through your drawings and your documentation.

03:38

So what exactly your organization's HIPPA documentation requirements. The safe. Answer everything. If it involves Ph. I, you are safest. If you're documenting the whole in out across of the event who was involved? What work effort was performed, Where did the event occur? How was the work performed? Why was the work performed?

03:53

Documentation should also be telling the story of your overall security posture and your programs past current and future ability

04:00

to comply to the hip of privacy and security standards. And your documentation should answer the questions that an outside entity like an auditor or when you hire a new department manager, the questions they may pose like what is your overall security posture? What security controls do you have in place and whether you're gaps

04:15

that you are in the process of working remediation on from a risk and vulnerability perspective and so on.

04:20

One of the things I always recommended the compliance or privacy officer is to keep a three ring binder, and then you have a tab for every hipper, required and addressable safeguard that's called out by the regulation regulation. Things could be pulled down and easily reference from the HHS website and then in the binder under each control tab. You've documented your administrative,

04:39

physical and technical safeguards and how you've implemented him

04:43

thes with controls. The auditor is going to be looking at documentation truly is your biggest control and your biggest headache. But if done well, documentation is also your program's biggest problem solver.

04:54

So some of the documentation best practices air basic in principle, but their importance can't be ignored. The first concept around your documentation is that you need access controls, control, who has access to your documentation and who has the rights to read it and write to it. You need standards around version control, IE change, control the process and procedures around updating and changing your organization's documentation.

05:14

You need to create policy and standards around branding

05:15

and the use and application of your corporate logo and data classifications. I e. What constitutes private and confidential information that should be on the need on a need to know rights and privilege control. And what data is not P II or Ph I. But still considered not for public view what data can be shared with business associates and what data is free and open to all.

05:35

And what about that fancy new type of data we learned about in an earlier lecture that de identified data.

05:41

This is another type of documentation that our organization needs policy on, so that our team members can agree on what fields and our electronic forms need to be redacted to take personally identifiable data down a few notches so that the forms now meet our organizations criteria and standards for de identified data. And we need to care about how we store and archive our documentation,

06:00

an archive it with the appropriate back up in business continuity capabilities.

06:03

And you're gonna remember how we have to keep our networks logs for six years. Well, we need to make sure we're archiving and storing our documentation according to the terms dictated by hip and our state laws and one of the principles of data and documentation often dismissed and neglected what our policies and procedures for the destruction of data. How are paper records destroyed?

06:23

How are electronic records destroyed?

06:25

And how can we make sure that one of our employees hasn't left unidentifiable record on the printer or in a wastepaper bin where someone can just grab it and start grabbing Social Security numbers? and credit card information. You can see that just documentation alone. Well, there's a need for a dedicated individual to your hipper program,

06:41

and that's why this individual might have the title of compliance officer or privacy officer.

06:46

I'm afraid it's that time again. Time for Open book Open notes. Open smartphone High Pressure Aptitude Test The Dreaded Cyber A lecture quiz question so named three objectives that HIPPA documentation seeks to satisfy. So hit Pause. Make sure you have a fresh writing utensil in a clean piece of paper.

07:00

Remember that we have a policy for the destruction of your paper with it's answers on it, that we have to follow the policies to stretch the document immediately.

07:08

And so the shredding and water so that it can't be reassembled. So now you got all that. Okay, well, then, when you're ready, here resume and we'll review our answers together.

07:16

Okay, so documentation is our hippos programs most important control falling into the administrative control category and is without question. One of the biggest challenges that are HIPPA compliance program must solve our documentation, helps show how we are compliant and where we fall short from the standards and what we're gonna do about it. It shows the reader where our program waas,

07:35

how much stronger it is today

07:38

and how much better it will be next year when all of our identified remediation work is done and it's the winner. Hands down Documentation is everyone's favorite pastime. Nothing is more fun than spending a day writing security policy about when we can and when we can't print a document to our local printer, just plain old good times right there, I'm telling you,

07:57

just outstanding fun.

07:59

So in today's lecture, we learn way more than we wanted to about documentation. And, no, it's not fun stuff. But documentation really is our biggest and most important control. And unfortunately for most organizations out there, it's one of their weakest safeguards. The organization will be weak and written policy, data handling and use, and the network documentation will be old or much of it's missing.

08:16

And documentation is the most important aspect of compliance.

08:20

Your documentation shows what you've done and where you're going. If there's ever a complaint that has to be investigated, it's your documentation that would be looked at first. It is by documenting the who what when, where and why and the entire Ph I record lifecycle. Well, it's this documentation that will show the investigator that our people did their job. They protected the security and privacy of the patient,

08:39

and now they could go call on someone else and let us get back to our paper shredder because we're busy

08:45

reviewed some of the necessary documentation policies and how we need data classification and data handling procedures, including my favorite, our documentation destruction procedure. When do we shred? When do we erase? When do we destroy that hard drive? By taking it out to our favorite golf driving range and using our brand new jumbo head driver. So that's it for module to

09:03

our next stop is Module three, where we begin our journey and rolling out our HIPPA compliance program.

09:09

I'm really excited and hope you are, too, because now the real fun begins.

09:13

So on behalf of all of us here at Cyber A thanks for playing through and we hope you enjoyed module to, I'm really excited about Module three, where we're getting ready to roll out our HIPPA compliance program. So on behalf of all of us here, it's cyber thanks so much. We hope you've enjoyed the course so far. We want you to take care and make sure that you're, you know,

09:33

score your scorecard. Yeah, you need to be honest about that. Because how do you know if your,

09:37

like, compliance improving, right? You just can't be like taking a scratch on everything when really, it's like an eight or nine on a part three, you know? I mean,